Preface 


Welcome to Qualys Cloud Platform! In this guide, we’ll show you how to install and use the 
Qualys Web App Scanning Connector to see your Qualys WAS scan data in TeamCity. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical security 
intelligence on demand and automating the full spectrum of auditing, compliance and 
protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed service 
providers and consulting organizations including Accenture, BT, Cognizant Technology 
Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, Optiv, 
SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding 
member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your questions 
will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. 
Access support information at www.qualys.com/support/ 
Introduction to Qualys Web App Scanning Connector for TeamCity 


The Qualys Web App Scanning Connector empowers DevOps teams to build application 
vulnerability scans into their existing CI/CD processes. By integrating scans in this manner, 
application security testing is accomplished earlier in the SDLC to catch and eliminate security 
flaws. 


We'll help you: Install the Plugin | Configure the Plugin 


Download and Install the Plugin 


You can download the plugin from the Qualys Community page. The plugin comes in the form of a 
zip file. Once you have the zip file, log into your instance of TeamCity and go to Administration. 
Under Administration, click Plugins List. On the Plugins List page, click Upload plugin zip. 


[Screenshot: the Plugins List page ("This TeamCity installation has 97 plugins") with the Browse plugins repository and Upload plugin zip buttons above the table of bundled plugins.] 


On the Upload plugin zip screen, choose the plugin zip file and click Upload plugin zip. 


[Screenshot: the Upload plugin zip dialog with a Choose File button (QualysWASPlugin-1.0.1.zip selected) and the Upload plugin zip and Cancel buttons.] 
After uploading the plugin installation file, you will see the plugin listed under the External 
plugins section. A message is shown to enable uploaded plugins. Click Enable uploaded plugins. 


[Screenshot: the Plugins List page ("This TeamCity installation has 98 plugins (including 1 external)") showing the message "Uploaded plugin: Qualys Web App Scanning Connector" with the Enable uploaded plugins link, and the External plugins table listing Qualys Web App Scanning Connector 1.0.1, Qualys Inc., <TeamCity Data Directory>/plugins/QualysWASPlugin-1.0.1.zip, status "Not loaded (new uploaded plugin)".] 


Optionally, if you want to enable only Qualys Web App Scanning Connector, then in the table 
under the External plugins section, go to the row that displays Qualys Web App Scanning 
Connector and click the drop-down in the last column and select Enable. 


[Screenshot: the External plugins table row for Qualys Web App Scanning Connector 1.0.1 with the drop-down in the last column opened, offering Enable and Delete...; status "Not loaded (new uploaded plugin)".] 


The plugin will be enabled without restarting the server. If you want to restart the server and then 
enable the plugin, click Cancel. 


[Screenshot: the "Enable 'Qualys Web App Scanning Connector' plugin" dialog asking "Enable the plugin without server restart?", followed by the External plugins table showing the enabled Qualys Web App Scanning Connector 1.0.1 row.] 


That's it! The installation is now complete. Read on to learn about configuring the plugin. 
Configure the Plugin 


Go to your project in TeamCity and click Add build step. 


[Screenshot: the Build Steps page of a TeamCity project with the Add build step and Reorder build steps links.] 


Select “Scan web applications with Qualys WAS” from the drop-down menu. 


[Screenshot: the New Build Step page with the "Runner type" drop-down (-- Choose build runner type --) expanded to the list of available runners.] 


Now you are ready to configure the plugin. 
Next, provide a name to the build step and then go to the Qualys API Credentials section. 


This step confirms that TeamCity can communicate with the Qualys Cloud Platform via the 
WAS API. You'll need valid account credentials for an active Qualys WAS subscription. The 
account must have API access enabled as well as a role assigned with all necessary permissions. 
Qualys recommends using a service account restricted to API access only (no UI access) and 
having the least privileges possible. 


Select the Qualys platform/portal where your Qualys account resides. On selecting the platform, 
we will show you the API server URL of the selected platform. Enter your account credentials: 
API username and password for authenticating to the WAS API server. Note that what you select 
here depends on the Qualys platform your organization is using. Learn more. 
If your TeamCity instance does not have direct Internet access and a proxy is required, click the 
"Use Proxy Settings" checkbox and enter the required information. 


[Screenshot: the Qualys API Credentials section with the fields Your Qualys Portal (US Platform 1 selected; "Select your Qualys Cloud Platform. What is my platform?"), API Server URL (https://qualysapi.qualys.com), API Username (api_user), API Password, and Use Proxy. The proxy help text reads: "If your TeamCity server sits behind a firewall and does not have direct access to the Qualys API Server, you can specify the HTTP proxy details in the following fields to allow TeamCity to connect to the Qualys API server." Proxy fields shown: host (examples: 10.15.201.155, corp.proxyserver.company.com), port (3128) and user, followed by the Test Connection button.] 


Click the "Test Connection" button. Assuming you have selected the correct platform for your 
subscription and the credentials are valid, you will see the message "Connection test 
successful". 


Note that if your Qualys account resides on a private cloud platform, select “Private Cloud 
Platform” as your Qualys cloud platform, specify the API server URL and your account 
credentials to access the API. 


[Screenshot: the Qualys API Credentials section with Your Qualys Portal set to Private Cloud Platform, API Server URL (https://qualysapi.mycloud.com), API Username (user_mypcp), API Password and Use Proxy, with the same field help text as above.] 
Next, select the web application in Qualys WAS that you wish to scan. 


[Screenshot: the Launch Scan API Parameters section with the fields Select Web Application from WAS (drop-down populated from the configured Qualys account), Scan Name (default "[job name]_teamcity_build_[build number]"; the help text notes that Qualys requires unique scan names, so the plugin always appends the execution time, and that [job name] and [build number] are replaced with the job name and build number), and Scan Type (VULNERABILITY selected). The help text explains that a DISCOVERY scan crawls through your web application to find information without performing vulnerability testing, while a VULNERABILITY scan crawls the application just like a discovery scan but also performs vulnerability tests and sensitive content checks to tell you about the security posture of your web application.] 


By default, the WAS scan name will be: 
[job_name]_teamcity_build_[build_number] + timestamp 


You can edit the scan name, but a timestamp will automatically be appended regardless. 
You can choose to run a Discovery scan or Vulnerability scan. The default is Vulnerability scan. 


Next, configure optional scan parameters. 


[Screenshot: the Optional Parameters section with the fields Authentication Record (Use Default, or Other -> AuthRecord Name), Option Profile (Use Default, or Other -> Profile Name), Cancel Option (None, which uses the target web app's cancelScans option if set, or Cancel After X Hours) and Hours (1 to 24).] 


Authentication Record — You can choose to run the scan without authentication (the default) but 
keep in mind the scanner will not be able to log into the web application and test the 
authenticated surface area of the application in that case. You may instead want to select "Use 
Default", in which case the default authentication record for the web app in WAS (if any) will be 
used. Optionally, you can also select the Other option and choose a specific authentication 
record ID if desired. 


Option Profile - The option profile contains the various scan settings such as the vulnerability 
types that should be tested (detection scope), scan intensity, error thresholds, etc. Selecting "Use 
Default" will use the default option profile for the web app in WAS. This is the recommended 
setting; however, you can also select the “Other” option and choose a specific option profile ID if 
desired. 


Cancel Options - The default is not to cancel the scan, in which case the scan will run to 
completion. However, you can choose to cancel the scan after a set number of hours. Keep in 
mind you may not get any results if the scan is canceled before finishing. 
Next, configure the pass/fail criteria for a build. 


[Screenshot: the Fail Conditions section. By Vulnerability Severity (note: severity 1 is least severe and severity 5 is most severe): a checkbox and count for each of "Fail with more than N Severity 1..5 vulns"; the help text reads "Fail the build if severity count is greater than the configured count. All severity level conditions are 'OR'ed together", e.g. Fail with more than 0 Severity 1 vulns OR Fail with more than 0 Severity 2 vulns OR ... By Qualys WAS Vulnerability Identifiers (QIDs): "Fail with any of these QIDs", a comma-separated list of QIDs or QID ranges, e.g. 150001,150124,150179-150181. Finally, the checkbox "Fail the build if WAS could not scan the web application".] 


You can set conditions to fail a build by 1) Vulnerability Severity, 2) Qualys WAS Vulnerability 
Identifiers (QIDs). You may also choose to fail the build in case the plugin initiates the scan but 
the WAS module could not complete the scan due to some issue, such as no scanner being found. 


To fail the build by vulnerability severity, specify the count of vulnerabilities for one or more 
severity types. A build will fail if the number of detections in the scan results exceeds the number 
specified for one or more severity types. For example, to fail a build if the severity 5 vulnerability 
count is more than 2, select the "Fail with more than severity 5" option and specify 2. 


Note that a Qualys severity “5” rating is the most dangerous vulnerability while severity “1” is the 
least. 


Similarly, to fail a build by QIDs, select “Fail with any of these QIDs” check box and specify one 
or more QIDs. 
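The following added example is not the plugin's own code; it shows how the pass/fail rules described above combine: the QID list with ranges is expanded, every severity threshold is evaluated independently and OR'ed, and a scan that did not finish can fail the build on its own. The scan result format and the detections are constructed sample data, not the WAS API's response format.

```python
"""Evaluate Qualys WAS connector-style fail conditions against a scan result.

Added illustration of the rules in this guide (not the plugin's own code).
The `scan` dictionary layout is a constructed stand-in for real WAS results.
"""
from __future__ import annotations
from dataclasses import dataclass, field


def parse_qid_list(spec: str) -> set[int]:
    """Expand '150001,150124,150179-150181' into a set of individual QIDs."""
    qids: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:  # inclusive range, e.g. 150179-150181
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad QID range: {item}")
            qids.update(range(lo, hi + 1))
        else:
            qids.add(int(item))
    return qids


@dataclass
class FailConditions:
    # severity -> maximum allowed count; severities not listed are not checked
    max_by_severity: dict[int, int] = field(default_factory=dict)
    fail_qids: set[int] = field(default_factory=set)
    fail_if_not_scanned: bool = True


def evaluate(scan: dict, cond: FailConditions) -> list[str]:
    """Return the violated criteria; an empty list means the build passes.

    scan = {"status": "FINISHED" | "CANCELED" | "ERROR",
            "detections": [{"qid": int, "severity": int}, ...]}  (constructed)
    """
    violations: list[str] = []
    if scan["status"] != "FINISHED":
        if cond.fail_if_not_scanned:
            violations.append(f"WAS could not complete the scan (status {scan['status']})")
        return violations  # no trustworthy detections to judge
    detections = scan.get("detections", [])
    # Severity conditions are OR'ed: one exceeded threshold is enough to fail.
    for sev in sorted(cond.max_by_severity):
        count = sum(1 for d in detections if d["severity"] == sev)
        if count > cond.max_by_severity[sev]:
            violations.append(f"Severity {sev}: found {count}, configured max {cond.max_by_severity[sev]}")
    # QID condition: any detected QID that appears in the configured list fails.
    matched = sorted({d["qid"] for d in detections} & cond.fail_qids)
    if matched:
        violations.append(f"QIDs found: {matched}")
    return violations


if __name__ == "__main__":
    cond = FailConditions(max_by_severity={5: 1, 3: 0},
                          fail_qids=parse_qid_list("150001,150124,150179-150181"))
    sample = {"status": "FINISHED",  # constructed sample scan
              "detections": [{"qid": 150004, "severity": 3},
                             {"qid": 150004, "severity": 3},
                             {"qid": 150112, "severity": 5}]}
    for line in evaluate(sample, cond) or ["Build passes"]:
        print(line)
```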


Next, configure scan status polling frequency and timeout duration for the scan. 


[Screenshot: the Timeout Settings section ("Qualys WAS Scan results will be collected per these settings. For each enter a value in minutes or an expression like 2*60 for 2 hours"). Frequency, how often to check for data: the polling interval in minutes between subsequent API calls, 5 minutes by default when left empty. Timeout, how long to wait for scan results: the timeout period for fetching scanned vulnerability data, after which the Qualys task ends; 60*24 minutes by default when left empty.] 


In the Timeout settings, specify the polling frequency in minutes for collecting the WAS scan 
status data and the timeout duration for a running scan. 


Click Save to save the Web application scanning configurations. 
Qualys WAS Scan Status 


After the scan completes, the Qualys WAS Scan Status tab shows the scan results for the web 
application in the Build Summary tab. In the header of the scan results, we show you ScanID, 
scan name and scan status (finished/canceled). You can click the link shown in the Scan Report 
field to view the detailed WAS scan report on the Qualys portal. 


We also have these sections: 1) the Results Summary section shows the success/fail status of web 
application scanning with other details related to scanning, 2) the Results Stats section shows the 
counts of different types of vulnerabilities found in the scan and 3) the Vulnerabilities section shows 
the total number of vulnerabilities found by severity in a graphical chart view. Move the mouse 
over the different colored sections of the chart to view the vulnerability counts for various 
severity types. 


Below these sections is the Pass/Fail Criteria Results Summary section that shows the pass/fail 
criteria and whether they are violated or satisfied. When a criterion is violated, the X (cross) icon is 
shown, while for a satisfied criterion the check mark icon is shown. 


[Screenshot: the Qualys tab in the build overview, showing Scan ID, Scan Name (e.g. qualys_was_project_teamcity_build_78_2020-01-27-08-02), Scan Status: FINISHED, Scan Reference, Target URL and a "Click here to view Scan Report on Qualys Portal" link (note: valid credentials for the Qualys UI are required to view the report). Below are the Results Summary (Results Status, Auth Status, Number of Requests, Links Crawled), Results Stats (Vulnerabilities, Information Gathered, Sensitive Contents) and Vulnerabilities chart sections, followed by the Pass/Fail Criteria Results Summary with a column for QIDs and for Severity 5 to Severity 1, each marked with a check mark or a cross. Legend: X Violates criteria, check mark Satisfies criteria, = Not Configured.] 


Move the mouse over the cross and check mark icons to view the value that you have configured for the 
criteria, and the actual value obtained after the scan. 


[Screenshot: the Pass/Fail Criteria Results Summary with the Criteria Evaluation tooltip open for the QIDs column, showing the configured QID list (150001,150...) and "Found: None". Legend: X Violates criteria, check mark Satisfies criteria, = Not Configured.] 
The Vulnerabilities tab is available to provide you the details of vulnerabilities, such as QIDs, 
vulnerability titles, URLs where the vulnerabilities occur and authentication status. 


[Screenshot: the Qualys Vulnerabilities Results table with the columns QID, Title, URL and Available Unauthenticated?, listing detections such as 150001 Reflected Cross-Site Scripting (XSS) and 150004 Path-Based Vulnerability, paginated 10 entries per page.] 


Troubleshooting 


You entered valid Qualys credentials, but the drop-down menu to select a Web application 
is empty or does not show the desired Web application. 


This issue occurs when the Qualys account provided does not have the proper role or scope to access 
the web application you wish to scan. Ensure that the account has been set up with the required 
roles and scope to access the desired Web application. 


You entered valid Qualys credentials, but the drop-down menu for Authentication Record 
Name or Profile Name is empty or does not show the desired item. 


This issue occurs when the Qualys account provided does not have the proper role or scope to access 
the auth record or option profile you wish to use. Ensure that the account has been set up with 
the required roles and scope to access the desired authentication record or option profile. 


URL to the Qualys API Server 


The Qualys API URL you should use for API requests depends on the Qualys platform where your 
account is located. 


Click here to identify your Qualys platform and get the API URL. 